iOS Developer Site at Core of Facebook, Apple Watering Hole Attack

UPDATE – The missing link connecting the attacks against Apple, Facebook and possibly Twitter is a popular iOS mobile developers’ forum called iPhoneDevSDK which was discovered hosting malware in an apparent watering hole attack that has likely snared victims at hundreds of organizations beyond the big three.

It’s not clear whether the site remains infected, but researcher Eric Romang dug into the situation and determined that the site was hosting malicious javascript that was redirecting visitors to another site, min.liveanalytics. That site had been hosting malware as of Jan. 15.

Ian Sefferman, cofounder of a number of sites hosting mobile developer resources including iphonedevsdk, confirmed in a post today that it was part of the attack on Facebook.

“We were never in touch with Facebook, any other companies, or law enforcement before yesterday,” Sefferman told Threatpost today. “We immediately reached out to Facebook’s CSO and have been working together since then. We’d be happy to work with other involved organizations to find out exactly how this hack occurred and who was behind it.”

Sefferman said an administrator account was compromised and the attackers were able to modify a theme on the site and inject malicious javascript.

“As the most widely read, dedicated iOS developer forum, we’re targeted for attacks frequently,” Sefferman wrote, adding that the site’s webhost Vanilla Forums was not to blame in the attacks and that all user passwords have been reset. “We’re still trying to determine the exploit’s exact timeline and details, but it appears as though it was ended by the hacker on Jan. 30.”

This appears to be a textbook watering hole attack where unconnected victims linked by a common interest visit a compromised website which redirects them to the attack site hosting malware. The malware then would enable an attacker to maintain some type of persistence within the target organization.

“In the purest sense, you’ll see very subtle and graceful attempts to compromise sites that have virtually nothing to do with one another in terms of content, but at a higher geo-political level such as with the high tech or defense industrial base, there is a commonality,” said Will Gragido, senior manager for RSA Security’s FirstWatch Advanced Research Intelligence team. “They’ll look for vulnerabilities on the site, post a redirection tag and catch some targets of opportunity affiliated with a target of interest; by doing that, they can go upstream to compromise the target of interest.”

Romang proposed these attacks were not highly targeted against a particular company, and he may be right with a number of reports surfacing that the attacks against Facebook and Apple hit Mac OS X machines with a Java zero-day exploit, and that hundreds of tech and defense industrial base firms may have been hit as well. The attackers may have been trying to gain a widespread foothold inside some popular mobile applications, rather than simply attack Apple or Facebook developers.

“I don’t think it is a ‘highly’ targeted attack, because it is just another watering hole campaign with another Java 0day,” Romang told Threatpost via email. “Maybe what was sophisticated in this case is that the deployed malware was hitting Mac OS X computers.”

Romang’s research indicates the attacks likely started around Jan. 22 when javascript on iphonedevsdk called out three times to min.liveanalytics; the min.liveanalytics domain was registered Dec. 8, 2012. By Jan. 24, min.liveanalytics was down, Romang said. A WayBack Machine cache of the iphonedevsdk site on Jan. 15, however, revealed a Google Chrome warning that malware was present on the site.

Yesterday, Chris Wakelin, a researcher, posted on Twitter that an exploit for CVE-2013-0431 had been discovered in the Cool Exploit Kit. This vulnerability is the second bug discovered by Adam Gowdiak in the MBeanInstantiator in Java in early January which was incompletely patched by Oracle; it enables a complete Java sandbox bypass, Gowdiak wrote on the Full Disclosure mailing list.

Facebook disclosed last Friday that a number of its employees’ laptops had been compromised by malware that targeted a Java zero day and was able to bypass the platform’s sandbox. Apple made its disclosure yesterday that it had been hit by the same crew that attacked Facebook and by the same exploit. The company said that a small number of Mac OS X machines had been infected, but a report by Reuters said that the same attack was used against Apple machines at many other companies.

Twitter, meanwhile, has not fessed up to being part of the same attack, but the timeline corresponds, Romang said. Twitter reported on Feb. 1 that it was alerting users that up to 250,000 accounts may have been compromised and that session tokens and passwords may have been accessed. It also recommended that users disable the Java browser plug-in.

In the meantime, the Java security world has been in total flux during since late last year. Similar watering hole attacks against the Council on Foreign Relations website, as well as a number of human rights and manufacturing sites worldwide, were blamed on fresh Java exploits against previously unreported vulnerabilities. Oracle had also sent out three Java updates between Dec. 11 and Feb. 1, including Java SE 7 Update 11 which changed by default the security settings in Java from medium to high, requiring manual approval for the execution of unsigned Java applets. Likely, the developers compromised in this attack weren’t running an up to date version of Java, or were allowing the execution of untrusted Java apps, Romang said.

Comments (2)

Create an adaptor that will enable digital communication via the power outlet; this will act as a backup to the Internet. Should the backbones (NSF) go down, we have an instant backup Internet via the unshielded power lines, HV, transformers, and RF interference. No wonder NSA is protecting the power grid. Should get at least 300 Mbps on the adaptor.

A tooth (plural teeth) is a small, calcified, whitish build found in the jaws (or mouths) of many vertebrates and occupied to defeat down food. Some animals, explicitly carnivores, also use teeth for the purpose hunting or for defensive purposes. The roots of teeth are covered sooner than gums. Teeth are not made of bone, but rather of multiple tissues of varying density and hardness.

The unrestricted structure of teeth is be like across the vertebrates, although there is sizeable modulation in their show up and position. The teeth of mammals drink esoteric roots, and this pattern is also initiate in some fish, and in crocodilians. In most teleost fish, regardless how, the teeth are attached to the outer outwardly of the bone, while in lizards they are attached to the inner surface of the jaw during a man side. In cartilaginous fish, such as sharks, the teeth are joined beside perplexing ligaments to the hoops of cartilage that construct the jaw.

In the second quarter of 2015 Kaspersky Lab solutions detected and repelled a total of 379,972,834 malicious attacks from online resources. There were 5,903,377 registered notifications about attempte...

Innovative technologies are conquering the financial market, opening up new opportunities for startups. The volume of investment in projects for the banking sector is constantly growing, as is its pot...